[HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Hi,

I’m not an experienced Mikrotik admin (more of an enthusiast) and I would be grateful if members of this forum could help by pointing out where I went wrong when trying to improve my network with the use of VLANs (nothing fancy for now, just a VLAN for client devices and a management VLAN).

First the outline of my test setup:
HEX PoE working as a router
hap ac lite working as bridge/switch
Audience serving as AP and bridge/switch (controlled by CAPsMAN in my actual non-test setup but I did not get as far in my tests)
All devices running RouterOS 7.16.2

I started with configuring HEX PoE and hap ac lite using switch configuration for hardware offloading as suggested here:
https://help.mikrotik.com/docs/spaces/ROS/pages/103841826/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip

This seems to be working fine with trunk, access and hybrid ports on both devices.

The real troubles started with configuring Audience.

First I realised that I can’t use the same setup method as above, as Audience doesn’t seem to have Switch menu in Winbox, and although I could configure ports and vlan table using terminal I could not finish the configuration by setting vlan-mode=secure. I found this and lack of Switch menu in Winbox strange as Atheros8327 chip on my Audience supports most of switch features (as confirmed in this link):
https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-Introduction

Anyway, I thought that instead of pondering this, I’ll just drop hardware offloading as (unlike the other two devices) Audience has some resources to spare. I followed the below guide to configure a bridge with VLAN filtering:
https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table

What I’m trying to do at this phase is to configure ether1 and ether2 in a bridge where ether1 is a trunk port with VLAN 10 and 90 tagged, and ether2 is a hybrid port with VLAN 90 tagged and 10 untagged.

Unfortunately I couldn’t get this to work and even though I can see some traffic on VLAN 10 and 90 on ether1 I can’t even connect to Audience via Winbox other than through default VLAN 1. Audience can’t reach the NTP server either.

This leads me to two questions:

  1. Is there a reason why switch configuration is not present on Audience with RouterOS 7.16.2 even though it has a capable switch chip?
  2. Where did I go wrong with the below bridge filtering configuration?
# 1970-01-02 01:31:31 by RouterOS 7.16.2
# software id = 4XZX-9Q65
#
# model = RBD25G-5HPacQD2HPnD
# serial number = D5840DBC5A69
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
set [ find default-name=wlan3 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan,ether2,ether1 vlan-ids=90
/interface wireless cap
# 
set bridge=*7 caps-man-addresses=192.168.90.1 enabled=yes interfaces=\
    wlan2,wlan1
/ip address
add address=192.168.90.6/24 interface=MGMT network=192.168.90.0
/ip dhcp-client
add interface=MGMT
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I’d appreciate any help and I appreciate that I most likely did something dumb and I just can’t see it yet.

For me the error was using capsman jajaajaja. I can do vlans very easily without capsman, somebody else will have to provide direction.

Thanks Anav, but I don’t think that my problem (for now :wink: ) is use of CAPsMAN. As I said I didn’t get as far as even establishing connection with the HEX PoE router where the CAPsMAN is.

I just can’t see where I went wrong with the Bridge VLAN filtering configuration on Audience and why, even though I think Audience should connect via VLAN 10 and 90 over the trunk port (ether1), it doesn’t seem to work.

As a test, if I connect my PC (with virtual NIC set on port 90) to the same hap ac lite port where audience is meant to be connected, I can get IP from “management” DHCP without problem and connectivity seems to be fine.

IF there was no capsman it would be like so.
This is the audience in ap/switch mode and will assume the vlan10 is the trusted vlan where the audience gets its IP address from.
/interface list
add name=TRUSTED
/interface list member
add interface=vlan10 list=TRUSTED

/ip address
add address=vlan10(assigned IP address) interface=vlan10 network=

/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="Trunk Port"
add bridge=bridge-lan interface=ether2 pvid=10 comment="Hybrid Port"

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,ether2 vlan-ids=90

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Apart from VLAN stuff (@anav already gave you some good advice) … are you intending to use hAP ac lite as AP as well? If not, then you better remove wireless package and install wifi-qcom-ac on Audience, its wireless will really take off and fly. You’ll have to use the new CAPsMAN (available under /interface/wifi … various branches under it). Benefit is that if you intended to run CAPsMAN on main router (hEX PoE), then you don’t have to have wireless package installed there either (new capsman functionality is included in core ROS since 7.13). However, hAP ac lite is not compatible with new capsman …

Hi mkx,

The hAP ac lite in my test setup replaces HEX from my actual network. So I do not intend to have this device at all in my eventual setup as AP or otherwise. I currently have old CAPsMAN configuration in my “live” network and translating it to new CAPsMAN and wave2 will most likely be the next challenge once I’ve established a working VLAN setup. So one step at a time… :slight_smile:

Hi anav,

Thanks for further suggestions. In my original idea I actually meant for vlan 90 to be a trusted vlan where Audience would communicate with other Mikrotik devices and get its IP from, but for the purpose of this test it doesn’t really matter.

I grew tired of disconnecting the Audience from my “live” network for these experiments, but I did a few more tests with a wiped hAP ac lite.

I tried to take your example like for like and after adding a few things which Mikrotik was complaining about (like declaration of the bridge and vlan10 interface) I arrived at something like this:

/interface bridge
add name=bridge-lan

/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10

/interface list
add name=TRUSTED

/interface list member
add interface=vlan10 list=TRUSTED

/ip address
add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0

/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="Trunk Port"
add bridge=bridge-lan interface=ether2 pvid=10 comment="Hybrid Port"

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,ether2 vlan-ids=90

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Is this what you had in mind? This obviously should not have much effect as I intentionally left out enabling vlan filtering so that I could do it as the last step.

When I apply the above from terminal, I can apply all the commands, but then when I enable vlan filtering I need to set pvid. When I set it to 10 (which seems to be a logical choice for this configuration?) I get locked out from the device (I get disconnected and can’t connect again using Winbox).

Interestingly if I import it as .rsc script to a blank device I get the message that script was loaded successfully and get locked out immediately after (I don’t even get a chance to enable vlan filtering).

For completeness, I’m connected to the device via ether2 using a PC which accepts untagged traffic on its main network interface and vlan 90 on a virtual NIC. The same device connected to a hybrid (stripped vlan10 and tagged vlan90) port configured with switch configuration rather than bridge vlan filtering connects fine, getting IP from DHCP on both interfaces, so I think there is nothing wrong with the client and I’m still messing something up in the bridge vlan filtering configuration.

I’d welcome any further suggestions or troubleshooting steps which I could try.

Many thanks for your suggestions so far!

You forgot to add the address of the device which is provided on the trusted vlan. I usually make this a static lease setting on the main router.

Yes, getting locked out doing vlan filtering is a problem, that’s why I came up with this solution years ago…

To avoid vlan filtering hiccups, and to config from a safe spot, I recommend you take etherX off the bridge, let’s say port 5:

/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0

/interface list member
add interface=OffBridge5 list=LAN { or TRUSTED or base/management, whatever is the interface list that is trusted }

Now plug in your laptop into ether5, change ipv4 settings to 192.168.65.2 and you should be in!!!

You might try setting STP to “none”, as something could be going into a blocking state during the configuration process. But otherwise it looks right to me…

Also, in 7.16+, it’s safe to set vlan-filtering=yes when you create the bridge, as the default bridge/ports all use a “VLAN 1” & when you add the /interface/vlan for VLAN10, it will automatically add bridge as tagged in /interface/bridge/vlans dynamically.

So, assuming starting from empty configuration and use MAC address in winbox to connect BEFORE connecting to rest of network… I’d break the configuration into two parts. First, get the bridge setup using MAC address in winbox, and the last line will disconnect you.

/interface bridge add name=bridge-lan vlan-filtering=yes
/interface vlan add interface=bridge-lan name=vlan10 vlan-id=10
/ip address add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10
/interface bridge port add bridge=bridge-lan interface=ether2 pvid=10 comment="Hybrid Port"
/interface bridge port add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="Trunk Port"

Then plug the trunk line into ether1, and verify you can access the router. Finally tweak the rest of the security stuff as desired:

/interface list
add name=TRUSTED
/interface list member
add interface=vlan10 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Notes:

  • /interface/bridge/vlan comes BEFORE /interface/bridge/port with ingress-filtering=yes
  • /interface/bridge/vlan will have a dynamic entry (marked with D) with tagged=bridge-lan for PVID 10 in version 7.16+.
  • Router would have a 192.168.88.1 even if “empty”, so may need to remove that from IP address
  • Set the TRUSTED interface list AFTER getting the VLANs working… since /tool/mac-server is how you’d get into “fix” the VLANs initially
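
As an added check (not code from this thread or from MikroTik), the following Python linter applies the rules these notes and the earlier replies rely on to a RouterOS export: a port that is an untagged member of a VLAN must carry that VLAN as its pvid (default 1), a port set to admit-only-vlan-tagged must be a tagged member somewhere, and the bridge must be a tagged member of any VLAN that carries an /interface vlan used for management. It assumes the VLAN interfaces sit on the bridge and that the bridge VLAN entries are written explicitly, as in every config posted above; the sample export is constructed from the first Audience config in this thread.

```python
import shlex

# Constructed sample: the bridge-related sections of the first Audience export in this
# thread (ether2 is an untagged member of VLAN 10 but keeps the default pvid of 1).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan,ether2,ether1 vlan-ids=90
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} built from the 'add' lines of an export."""
    sections, current, buffer = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                  # section header such as /interface bridge vlan
            current = line
            sections.setdefault(current, [])
            continue
        if line.endswith("\\"):                   # RouterOS wraps long lines with a trailing backslash
            buffer += line[:-1]
            continue
        tokens, buffer = shlex.split(buffer + line), ""
        if current and tokens and tokens[0] == "add":
            sections[current].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections


def _members(entry, key):
    return {m for m in entry.get(key, "").split(",") if m}


def lint_bridge_vlans(text):
    """Return a list of findings; an empty list means the three checks passed."""
    cfg = parse_export(text)
    untagged_on, tagged_on = {}, {}               # interface -> set of VLAN ids
    for v in cfg.get("/interface bridge vlan", []):
        for vid in v.get("vlan-ids", "").split(","):
            for p in _members(v, "untagged"):
                untagged_on.setdefault(p, set()).add(vid)
            for p in _members(v, "tagged"):
                tagged_on.setdefault(p, set()).add(vid)
    findings = []
    for p in cfg.get("/interface bridge port", []):
        name, pvid = p["interface"], p.get("pvid", "1")   # bridge port pvid defaults to 1
        untagged = untagged_on.get(name, set())
        # 1. untagged ingress lands in the pvid, so the pvid must be the VLAN the port is untagged in
        if untagged and pvid not in untagged:
            findings.append(f"{name}: pvid {pvid} but untagged member of {sorted(untagged)}")
        # 2. a tagged-only trunk with no tagged membership drops every frame it receives
        if p.get("frame-types") == "admit-only-vlan-tagged" and not tagged_on.get(name):
            findings.append(f"{name}: admit-only-vlan-tagged but no tagged VLAN membership")
    # 3. the CPU reaches a VLAN interface on the bridge only if the bridge is a tagged member
    for s in cfg.get("/interface vlan", []):
        if s["vlan-id"] not in tagged_on.get(s["interface"], set()):
            findings.append(f"{s['name']}: VLAN {s['vlan-id']} not tagged on {s['interface']}")
    return findings


if __name__ == "__main__":
    for line in lint_bridge_vlans(SAMPLE_EXPORT) or ["no findings"]:
        print(line)
```

Run it against a full export before enabling vlan-filtering; on the sample it reports only the ether2 pvid mismatch, and adding pvid=10 to that port clears it.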

Well … support for VLANs in wifi-qcom-ac package is next to none (while wireless has pretty good support), so if you’re struggling with VLANs on your Audience now, it’ll be worse then. So I suggest you switch over to wifi-qcom-ac first, wifi configuration done locally will be very similar to the one needed on wifi capsman later. Except for VLANs, you’ll have to be a bit innovative if you want to run Audience with VLANs as capsman client. Unless you’ll have multiple (two or more) APs (running wifi drivers) and you’ll need to run capsman for improved mobility of clients, then using capsman (in your particular case) might be a PITA. If the rest of your devices will be ax devices (running wifi-qcom driver, which supports VLANs better), then you might want to run capsman on audience itself (even if local radios will be configured locally, running capsman on same device will enable improved mobility).

Hi mkx,

Thanks for the warning. In my “live” setup I have 3 Audience APs and no ax devices. If the vlan support in wifi-qcom-ac is somewhat patchy I guess I’ll stick to wireless for now until support for wifi-qcom-ac is improved …if ever :slight_smile:

Regarding below point:


You forgot to add the address of the device which is provided on the trusted vlan.

I thought I did that in the config I posted on Monday:

/ip address
add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0

…with vlan10 being included in TRUSTED list.

Did you mean something else?

BTW, thanks for the hint with the OffBridge port. It saved me a few resets while I’m testing on hAP ac lite which has a few extra ports (unlike Audience :) )

Hi Amm0,

Thanks for the config. It goes a little bit further from my original goal (as it does not include vlan 90) but is a good test in my current struggles.

I used the first part of config, and did not go further with the steps for restricting the access as even the first part wasn’t working for me. I thought I’d at least check if PC connected to ether2 will get IP from DHCP on HEX over vlan 10 and, spoiler alert, it did not :frowning:

I’m pasting a full export in case you can spot something I did wrong.

I also want to assure you that I entered the commands in the order you suggested, even though the export ordered them randomly.

# 1970-01-02 00:29:05 by RouterOS 7.16.2
# software id = 99ZS-54IM
#
# model = RB952Ui-5ac2nD

/interface bridge
add name=bridge-lan vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik

/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10

/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge-lan comment="Hybrid Port" interface=ether2 pvid=10
add bridge=bridge-lan comment="Trunk Port" frame-types=admit-only-vlan-tagged \
    interface=ether1

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10

/interface list member
add interface=OffBridge5 list=TRUSTED

/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0

/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

Note that the above config includes the advice from anav for the offBridge port but it should not interfere with vlan filtering.

As I feel I’m growing mad trying to understand what I’m doing wrong, I decided to try my original concept using switch commands while testing on hAP ac lite (i.e. the config that wouldn’t work on Audience due to lack of switch menu). The below config (based on vlan 90 for management, and hybrid tagged 90 and untagged 10 on ether2) worked flawlessly:

# 1970-01-02 01:32:14 by RouterOS 7.16.2
# software id = 99ZS-54IM
#
# model = RB952Ui-5ac2nD

/interface bridge
add name=bridge-lan
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=10 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=10
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=90
/ip address
add address=192.168.90.6/24 interface=MGMT network=192.168.90.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

If I had more confidence in my Mikrotik skills I’d start suspecting I came across some kind of bug in ROS 7.16.2, but as things stand I still feel I must be making some dumb error.

I’d welcome further suggestions.

What is not clear is what users the Audience is serving.
Acting as an AP/switch it should get at least two vlans from the trunk port on ether1:
vlan10 and, let’s say, vlan90 for management (trusted vlan) and where Audience gets its IP address from.

What is on ether2?? eth3 and eth4? In other words refresh my memory why were we thinking hybrid port??

/interface bridge
add name=bridge-lan vlan-filtering=no { change to yes as last step }
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=TRUSTED
/interface list member
add interface=MGMT list=TRUSTED
add interface=OffBridge5 list=TRUSTED
/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk port from hex"
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=10 comment="access port to PC"
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,bridge-lan vlan-ids=90
/ip dns
set servers=192.168.90.1
/ip address
add address=192.168.90.6/24 interface=MGMT network=192.168.90.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.90.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Hi anavk0,

Sorry for the long silence. It took me a while to find a moment to do some more experiments in my test setup and then I had a few additional surprises when trying to transfer my findings to the live setup.

First of all, thanks for the config example. Regrettably, it did not work, just like all the previous configs I tried.

However, I came back to the suggestion from Amm0 which I initially either misunderstood or overlooked while focusing on the config.

The comment which made your example work for me, and also made my original “hybrid-port” config work was this:

You might try setting STP to “none”

To my surprise after disabling RSTP, the vlan filtering finally started working, i.e. the PC connected to the hybrid port received IPs on both: physical NIC (untagged traffic, 192.168.1.0 network) and virtual NIC (tagged vlan 90, 192.168.90.0 network)

What’s more, after adding Capsman to my test configuration, Cap provisioning also worked (although I have some issues with Wifi performance which I’ll try to seek some further guidance on in a new post).

All in all, it seems that the suggestion from Amm0 solved my issue for now, and below is my working Audience config with hybrid ether2 port and Capsman.

# 2024-12-27 15:17:47 by RouterOS 7.16.2
# software id = 4XZX-9Q65
#
# model = RBD25G-5HPacQD2HPnD

/interface bridge
add name=bridge-lan protocol-mode=none pvid=90 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(16dBm), SSID: domek-wifi, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(18dBm), SSID: domek-wifi, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
set [ find default-name=wlan3 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan comment="trunk port from hex" frame-types=\
    admit-only-vlan-tagged interface=ether1
add bridge=bridge-lan comment="hybrid port for PC" interface=ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge-lan tagged=ether1,bridge-lan untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,ether2,bridge-lan vlan-ids=90
/interface list member
add interface=MGMT list=TRUSTED
/interface wireless cap
# 
set caps-man-addresses=192.168.90.1 enabled=yes interfaces=wlan2,wlan1
/ip dhcp-client
add interface=MGMT
/ip dns
set servers=192.168.90.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.90.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

For completeness, let me answer your questions.


What is not clear is what users is the audience serving.

My intent is for audience to act as AP allowing wireless clients to get IP and internet access from 192.168.1.1 (HEX) acting as gateway and DHCP server.

The Audience itself should get its IP from MGMT network 192.168.90.0 on vlan 90.

The ether2 port may be occasionally used to connect a laptop via wired network for extra stability, or to allow direct management access (hence the hybrid port).


Acting as an AP/switch it should get at least two vlans from the trunk port on ether1.

Yes that was the idea in my initial config.


What is on ether2?? eth3 and eth4? In other words refresh my memory why were we thinking hybrid port??

Audience only has two ports and I covered ether2 above. While testing on hap ac lite I used ether5 so as not to lose access to the device while trying to get the config right.

All in all, I hardly have any spare ports on my home network, so I’m trying to configure one hybrid port on each device to allow management access but to rule out that port from general use.

Many thanks to everyone for your suggestions, and I’ll come back with a new post about capsman performance once I make my configs more readable :slight_smile: